We require applications, and most applications we get are extremely low effort and we don't approve them. If you have open registrations you'll be doing a lot of moderation for spam.
Run the software that scans images for CSAM. It's not perfect but it's something. If your instance freely hosts whatever without any oversight, word will spread and all of a sudden you're hosting all sorts of bad stuff. It's not technically illegal if you don't know about it, but I personally don't want anything to do with that.
I will add that if you have open registrations you will be a target for spam and trolls, and if you don't take quick action then some other instances are likely to defederate from your instance.
This depends on the instance: some will have a low tolerance and defederate pretty quickly, some instances will defederate temporarily until the spammers or trolls move to a different instance, and some won't care. But you likely won't know it's happened unless you notice you aren't getting content from that instance anymore.
One other thing is that if you're going to run an instance and aren't already on Matrix, make an account. It's how instance admins tend to keep in contact with each other.
[...] if you’re going to run an instance and aren’t already on Matrix, make an account. It’s how instance admins tend to keep in contact with each other.
If your instance freely hosts whatever without any oversight, word will spread and all of a sudden you’re hosting all sorts of bad stuff. It’s not technically illegal if you don’t know about it, but I personally don’t want anything to do with that.
Yeah, this is my primary concern. I'm hoping that there are established best practices for handling the majority of this sort of unwanted content.
The spam is not from bots, it's people being paid to spam. Captchas absolutely need to be turned on or else you get bots as well, but they don't stop the spam.
Question/Answer: Instance admins can set an arbitrary question which needs to be answered in order to create an account. This is often used to prevent spam bots from signing up. After submitting the form, you will need to wait for some time until the answer is approved manually before you can log in.
Yeah, it's just something like "Tell us why you want to join this instance". If the answer is "to promote my content" or "qq", for example, they don't get approved.
Do you mean also disabling thumbnails? IIUC, pict-rs handles all thumbnail generation [1]. The reason I point this out is that simply disabling image uploads won't itself stop the generation of thumbnails. There's also the question of storing/caching images that come from federated servers.
How much server hosting experience do you have? I asked about database preferences over in Self-Hosting once and they basically all said "don't choose a database ever. Run. Save yourself while there is still time!"
So maybe use a hosting service I guess. Makes you a more difficult target for attacks but also involves your information getting out into the world in direct connection to your instance.
[Using a hosting service] makes you a more difficult target for attacks but also involves your information getting out into the world in direct connection to your instance.
I'm not sure I understand how one's data would be leaked by the hoster.
Same way things get leaked by Equifax, Twitch, US Bank, etc. You're most responsible with your information by not having unnecessary accounts or transactions.
Also, most hosts have WHOIS and ICANN registrations for domains, but you still need a domain regardless. And further than that they might allow subpoenas from various companies who request the info.
I've never hosted a public-facing social media service. I have a few years' experience hosting a number of my own personal services, but they aren't at the scale of a public-facing Lemmy instance.
It would depend completely on how many users you let in and what kind of things they'll be doing. Some users are super heavy with uploading images, some users aren't.
I haven't read the docs in a long time, but perhaps you could restrict image uploading or something. Nothing you can do about unbounded DB growth without expiring content though.